Solved

Active Directory Remote Users Prevent Cache Logon

Posted on 2014-03-20
489 Views
Last Modified: 2014-03-26
Hello all,
I have been asked to find a solution for securing corporate PC information from access by remote personnel upon their termination; we are using VPN.
Basically, if the business terminates an employee they want to ensure the user will not be able to log in to the laptop they were issued, and no longer onto the domain. The domain side is the easy part, but how would I immediately be able to reach out and secure the machines for these remote users, so they can no longer log in with the cached credentials?
I was told of a way via SCCM that may facilitate this, but I can find nothing related.
Please, any direction and help is appreciated because I do not want to be the next to be released here.

Kry
Question by: kryanC
4 Comments
LVL 16

Assisted Solution

by: R. Andrew Koffron
R. Andrew Koffron earned 334 total points
ID: 39943104
Just need to set a group policy, and join the machines to the domain prior to deployment:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Network Access: Do not allow storage of credentials or .NET Passports for network authentication

If you can recall machines it's pretty easy: plug them in and force a gpupdate. If they remain external I don't know how to fire it retroactively to external VPN clients, I'm not sure; I'd think you'd have to create a local GPO update and a script to download it to each machine and fire it locally. I've never had any consistent success getting things to work over VPN.

But going forward, just make sure your initial deployment stops caching.
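As an added illustration (not part of the answer above or anything the poster ran), the following PowerShell reads the registry values behind the two policies involved and can apply the hardened values on a single machine, which is the "fire it locally" case the answer describes. Two facts worth knowing when auditing this: the policy named above maps to the `DisableDomainCreds` value under the LSA key and only blocks Credential Manager storage, while the number of domain logons Windows keeps for offline use is `CachedLogonsCount` under Winlogon (backing "Interactive logon: Number of previous logons to cache"). The function names are my own; run it in an elevated session.

```powershell
# Added example (not from the thread). Audits the settings that govern offline
# logon on a domain-joined Windows client and optionally applies hardened values
# locally. Run in an elevated PowerShell session on the client.

function Get-CachedLogonPosture {
    [CmdletBinding()]
    param()

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # CachedLogonsCount backs "Interactive logon: Number of previous logons to
    # cache (in case domain controller is not available)". Default 10, stored as REG_SZ.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }

    # DisableDomainCreds backs "Network access: Do not allow storage of passwords
    # and credentials for network authentication" (the policy named in the answer).
    # Default 0 (storage allowed). It does not affect cached domain logons.
    $noCreds = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    if ($null -eq $noCreds) { $noCreds = 0 }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CachedLogonsCount    = [int]$cached
        OfflineLogonPossible = ([int]$cached -gt 0)
        DisableDomainCreds   = [int]$noCreds
        CredManagerBlocked   = ([int]$noCreds -eq 1)
    }
}

function Set-CachedLogonHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0 removes offline logon entirely; 1 keeps a single cached logon for the
        # last user while limiting exposure.
        [ValidateRange(0, 50)][int]$CachedLogonsCount = 0
    )
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set CachedLogonsCount=$CachedLogonsCount, DisableDomainCreds=1")) {
        # Windows stores CachedLogonsCount as a string value, hence the cast.
        Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$CachedLogonsCount) -Type String
        Set-ItemProperty -Path $lsa -Name DisableDomainCreds -Value 1 -Type DWord
    }
    Get-CachedLogonPosture
}

# Usage: audit first, then preview the change with -WhatIf before applying it.
Get-CachedLogonPosture | Format-List
Set-CachedLogonHardening -CachedLogonsCount 0 -WhatIf
```

If a domain GPO defines either setting, the local value is overwritten at the next policy refresh, so on managed machines put the values in the GPO and use the local script only for machines that cannot currently reach a domain controller. Setting `CachedLogonsCount` to 0 reproduces the catch-22 discussed further down: the user then needs network reachability to a domain controller (VPN up before logon) to sign in at all.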
LVL 35

Assisted Solution

by: Mahesh
Mahesh earned 166 total points
ID: 39943510
The above setting will stop cached login for working employees at home as well.

Once you have disabled the user account for the terminated user, make sure that you have immediately disabled its mailbox, email and any other logins (VPN, internet data card, etc.) it might have.

Now even if the user is able to log in offline with cached credentials, they can't do anything practically.
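The directory-side steps this answer lists, as an added PowerShell example (mine, not the answerer's, and not something the thread supplies): it disables the account, rotates the password, strips VPN group membership and records the reason on the object. It assumes the ActiveDirectory RSAT module, rights to modify the user, and that VPN access is granted by membership in a group whose name (`VPN-Users`) is a placeholder for your own; the Exchange mailbox step is done with the Exchange cmdlets and is not shown.

```powershell
# Added example (not from the thread). Offboards a terminated remote user at the
# directory level so that a cached logon on the laptop cannot reach anything
# useful. Requires the ActiveDirectory module and rights to modify the user.
# The VPN group name is an assumption; substitute the group your VPN checks.

function Disable-TerminatedRemoteUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$VpnGroup  = 'VPN-Users',        # assumed name of the VPN access group
        [string]$TicketRef = 'HR termination'    # recorded on the account for audit
    )

    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Description
    $stamp = (Get-Date).ToString('yyyy-MM-dd')
    $inVpn = [bool]($user.MemberOf -match "^CN=$([regex]::Escape($VpnGroup)),")

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and strip remote access')) {
        # 1. Disable the account: domain logons and ticket renewals stop immediately.
        Disable-ADAccount -Identity $user

        # 2. Rotate the password to a random value. The verifier already cached on the
        #    laptop still matches the OLD password offline (that is the gap this thread
        #    is about), but the old password is now useless against anything online.
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd

        # 3. Remove the VPN entitlement so the laptop cannot even reach the domain.
        if ($inVpn) {
            Remove-ADGroupMember -Identity $VpnGroup -Members $user -Confirm:$false
        }

        # 4. Leave an audit trail on the object itself.
        Set-ADUser -Identity $user -Description ("Disabled $stamp - $TicketRef")
    }

    # Return the resulting state so the caller (or a ticket script) can verify it.
    Get-ADUser -Identity $SamAccountName -Properties Enabled, MemberOf, Description |
        Select-Object SamAccountName, Enabled, Description,
            @{ n = 'VpnMember'; e = { [bool]($_.MemberOf -match "^CN=$([regex]::Escape($VpnGroup)),") } }
}

# Usage: preview with -WhatIf, then run for real.
Disable-TerminatedRemoteUser -SamAccountName 'jdoe' -VpnGroup 'VPN-Users' -WhatIf
```

Run it as early in the termination process as possible: the laptop's cached verifier is only refreshed when the machine next authenticates to a domain controller, so the directory changes are what actually close access, and they take effect the moment they are written.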
LVL 16

Accepted Solution

by: R. Andrew Koffron
R. Andrew Koffron earned 334 total points
ID: 39943612
Keep in mind that policy changes need to be applied by the login process, so remote machines have already authenticated by the time they get to the VPN stage. If you remove caching, you'll need to set them to use a VPN/dial-up connection in order to boot up/log in, prior to logging into the remote machine, and that will ONLY work when their internet connection is on and VPN is up and running, and may render machines completely useless unless each machine has a local profile, and a local profile wouldn't apply a domain policy.

Sort of a catch-22; I don't know a good way around it either.
Author Closing Comment

by: kryanC
ID: 39956960
Thanks to all. Catch-22 is the best way of illustrating how to force it and kill their ability to work offline at the same time if I want to protect the data.
If anyone has a third party solution or any other ideas I would be interested because the "business" says that they are sure there is such a solution but can't remember what it is.
Thanks again,

Kry